Compliance Chats

To help make compliance a little more relevant to the everyday, “Compliance Chat” videos are informal conversations where Senior Institutional Compliance Liaison Mary Gower meets with subject matter experts covering frequently asked compliance questions and issues in quick, bite-sized clips.

Compliance Training Videos

Cybersecurity Series

Data Security and Privacy

[May 2024] Regular assessments of your data, storage locations, permissions, and deleting unnecessary files and using strong passwords are recommended practices to ensure data security and compliance with federal and other requirements.


Today I'm joined by Raina Collins, Senior IT risk and compliance analyst at the University of èƵ System Office of Information Technology to talk about data security and privacy.

In our positions here at the University there are so many of us that are handling sensitive information, and data security and privacy are really critical issues. And many of us have a large digital footprint. By footprint, I'm referring to all of the documents, emails, videos, images and also our transaction records.Having this large digital footprint heightens our vulnerability to data breaches, which can result in identity theft, financial harm and damage to the University's reputation.

When I'm thinking about the compliance concerns here, these include, legal, regulatory obligations surrounding the data handling, storage, and retention. Managing this extensive data and controlling access is really challenging.

Raina, so many employees viewing this video have a large data footprint with the èƵ, including years worth of emails and stored documents, knowing that this presents an exposure risk to the èƵ. How do you suggest going about trimming back that risk?


I'd suggest starting with identifying the contents of the data that you have. Data can consist of emails, photos, videos, documents, spreadsheets and all kinds of unique file types. There's also a difference between working documents and documents for retention. Hint: emails are considered working documents.

  • Working documents are actively used during day-to-day operations. They serve as tools for collaboration, decision-making, and ongoing task management.
  • Documents for retention are retained for legal, operational or historical reasons. They're not actively used in daily work but are preserved for compliance, reference or recordkeeping. UA OIT is currently working to develop tools and resources to help people identify the kind of data they have, so stay tuned.

Also there's one caveat: although UA emails are regarded for document retention as "working documents", they are retained indefinitely through Google, and in that sense, are closer to retention documents.

This is why it's important to know the content of your data.

Now that we know what the data is, let's discuss location. Throughout UA, data can be stored in our Google workspace environment, Microsoft 365, department file sharers, Onbase or other dedicated data repositories.

So now that we've defined the what, and the where, let's discuss how much.

In many cases, the systems mentioned above have seemingly limitless capacity for storage, which can contribute to years worth of data and documents being stored.

As you noted already, this creates an extensive footprint. Our recommendation is to really look at what kind of data you produce, evaluate its sensitivity, then determine if you have to keep it for regulatory purposes or if it's just a nice to have. For things that you must keep for retention reasons, you can work with the OIT Records and Information Management office to help you determine where to keep them. For things that are for your own convenience or departmental record keeping, you should save it in a secure location that is appropriate for the type of data that it is.

Let's look at permissions more closely. Google Drive and Microsoft 0365 are designed to allow for easy sharing of data both internally with our co-workers, and externally with our stakeholders. This helps create efficiency in our work products, and allows us to collaborate worldwide. However the possibility of oversharing creates many kinds of cyber-security vulnerabilities.

There are many Federal requirements in place to protect UA data, and in support of them, we recommend you do a routine audit of your storage locations. Look at who those files are shared with, and then remove access where appropriate. Delete files that you no longer need, or find them a secure and permanent home. This type of review should always be done after employees leave or if they transfer outside of your department. But if this doesn't happen often, then at least annually.


Looking at the security of the data, in what instances are University employees expected to be, encrypting their emails, and using secure file transfer for their documents? Also, how do we go about that?

Wherever there's a need to send protected sensitive or private data, users should employ added encryption to keep their messages secure. UA users can leverage our large and secure file transfer service at which allows UA account holders to exchange secure emails within UA or with external stakeholders. We do not recommend sending secure, private or sensitive email messages via Gmail or Outlook.

Also to note, sometimes the best way to protect sensitive information is to avoid the temptation to put it in your keyboard in the first place. Rather than sending an email then deleting it, pick up the phone. Take care to not write anything in an email that you're not ready to read in a newspaper. And on that topic, consider the use of UA emails for personal business. While it is generally allowable under regent's policy, it's not always the best idea. UA emails are subject to public records requests, and unless there's a statutory shield that protects them, they may have to get delivered into the hands of a third party. It isn't precluded to use UA for emails for personal reasons, but it may not be the best practice overall.


Do you have any pointers for supervisors to help implement solid access controls, to limit who can access the sensitive information? For example, to ensure that employees only have access to the data that they need for performing their duties for the èƵ? Also what can supervisors do to make sure that access is removed as their employees transfer to different departments or leave the èƵ?

Absolutely. Supervisors can establish solid access controls, as I mentioned earlier, by establishing departmental policies that outline how their department will manage their data.It'll identify the roles surrounding data management and conducting regular reviews of access permissions, thereby aligning them with their employees' specific roles and responsibilities. That way they're ensuring that their employees are only accessing the data that is required for their job tasks.

They can also develop departmental policy on onboarding and offboarding, which creates a systematic process for granting and revoking access when employees first join or when they transition to other departments, or if they leave the èƵ entirely. We would suggest as part of the departmental policy to set up a schedule -- such as every 12 months -- to review these permissions even if they are still employed, because this would capture any role changes within the department.


In closing, we cannot really over-stress how important it is to really understand what data you're generating.

For instance the music department data is going to be completely different from research data, however they both might both deal with student related data. So if you're understanding what you're managing and the requirements of that data, is critical to managing data access wisely.

If you need further assistance including individualized help please contact OIT Security Operations at or visit OIT's website.

AI in Social Engineering

[June 2024] AI is revolutionizing social engineering. AI’s use of automation and stealthy techniques dramatically raises the stakes of cybersecurity.  Threat actors can create convincing written messages, voice mimicking and phone-based attacks.

I'm joined by Bill Anker, executive director of strategic programs at the University of èƵ system Office for information technology.


We're discussing social engineering using AI.
In recent headlines Forbes declared that AI is revolutionizing social engineering and likened generative AI to "social engineering on steroids." AI's use of automation and stealthy techniques dramatically raises the stakes of cyber security.


What used to amount to a peppering of emails with some clumsy grammar and misspelled words, now is really sophisticated.

It feels like we're entering into an alternative reality where you just don't know what's fake and what's real.


It’s a real problem. We're now living in the intersection of AI and social engineering and that's dangerous territory.

For example, threat actors can now create flawless, convincing messages in perfect English using tools like chat GPT that makes detecting fraudulent messages really challenging.


There are also voice mimicking and phone-based attacks. As many of you know, AI tools can generate lifelike spoken words that mimic specific individuals. This capability opens the door to phone calls that can convincingly imitate anyone, such as the head of finance, a chancellor or the èƵ president. Threat actors generally use a two-pronged approach. They start with credible emails and follow that by voice calls, adding a layer of deception to social engineering attacks.


That's troubling. I know that in addition to email and voice attacks, picture and video can also be AI generated. Are these so-called deep fakes a concern for the èƵ?


Absolutely. You may have seen deep fakes in the news recently. For example, as recently as this past February, a finance worker paid out more than $25 million in response to fake video requests from someone impersonating the Chief Financial Officer of the company.

Concern about election year deep fakes is in the news quite a bit and is leading to the introduction of AI related legislation to combat attempts to mislead voters during the 2024 election.

AI can be used to create deep fakes using pictures, video, and audio footage found in the public space. And with that they can pretty easily make completely realistic fake videos and fake virtual identities.


What are the big risks related to social engineering using AI for the University?

With AI's hyper-speed ability to analyze an employee's digital behavior, scams can take on an unsettling personalization, increasing the likelihood of successfully tricking our employees into providing access or sharing private information.


Beyond social engineering AI also accelerates the detection of vulnerabilities in systems, potentially leading to rapid breaches even before staff recognize a threat.

AI tools can autonomously probe defenses,learn from mistakes, distribute malware and extract sensitive data often bypassing traditional security alarms. Adaptive AI-powered malware can dynamically create real-time countermeasures against the èƵ's defenses resulting in more prolonged and disruptive attacks.


What are some countermeasures that we can take against AI fueled attacks?

This can be broken down into three main strategies. First, training our users to detect social engineering. Second, implementing improved authentication. And third, deploying AI based security controls.

Employee awareness and vigilance is by far the most powerful tool in our arsenal. The use of multi-factor authentication can reduce account compromises by up to 99%.

And finally, AI-based defenses can react and adapt to attacks in real time dramatically speeding up our response times. UA is already implementing the first two and is currently investigating the third.


Remember there is always time to verify the authenticity of a request. If you have any doubts, aren't expecting this type of communication, or aren't sure if you should proceed, reach out to the requester directly, using an alternate communication method.

For urgent matters contact your local service desk and if you need further assistance including individualized help do not hesitate to contact OIT security operations at or visit OIT's website.


Thanks Bill. I'm impressed with the work that you and the entire OIT team are doing on behalf of the èƵ to protect our online security.

Everyone thanks for joining this compliance chat. If you have any further questions, please feel free to contact OIT security operations.

Additional topics covered monthly


Additional topics covered monthly

Securing Devices During Travel

[December 2023] As a èƵ employee, is it ok to leave your laptop computer back in the hotel room when you travel?  What about using the Wi-Fi provided at the conference?  Whether you're traveling for research, presenting at a conference, or collaborating face-to-face at meetings within the state, as èƵ employees it is important that we make sure our devices and data are secure during our travels.


Hello I'm Mary Gower and today I'm joined by Sean Hagan, University of èƵ system’s Chief Information Security Officer and Aaron Menshouse, UAF's Export Control/Research Security Officer, to discuss the secure usage of smartphones and laptops during travel. We'll explore key strategies to safeguard your device and data while on the move.

Sean, first let's take a look at traveling in the United States. When I travel for work I always bring my laptop with me. What about the physical security of the laptop? For example on days where I don't need it at the conference, do I just lock it in the hotel safe?


First, only bring what you absolutely need. Try to minimize the number of devices and the amount of data that you carry with you while traveling.

You may wish to consider using a loaner laptop or even going so far as getting a temporary cell phone, especially if you're traveling overseas. Aaron will discuss traveling abroad further in a minute. Other things you can do: store your data in the cloud and not on your laptop, or you might store it on a secure USB stick, and we have those available for checkout from the IT units.

Before departure ensure your device is well prepared by updating the software. You may wish to set a temporary password that you would change when you return from your travels. You will want to review Wi-Fi or bluetooth settings to make sure that the device will not automatically connect to unknown or untrusted wireless networks.


Always maintain physical possession of your devices while traveling, and you may wish to avoid using public Wi-Fi unless you're certain that the wireless network is trustworthy. Instead you could rely on a secure Wi-Fi hotspot from your cell phone. Or you may be able to check out, or rent, a portable hotspot device. You can also use the UA VPN while you're traveling for added security.

If you plan to work on UA data while you're traveling, consider whether sensitive data may be visible to people -- say while you're crunched up in an airplane seat working on an airplane, or if you're in a lounge or hotel conference area or something like that. If you intend to work in those environments, or think you might, you may wish to purchase a screen protector which can make it harder for others to "shoulder surf" or view sensitive information on your screen behind you.


For international trips it's essential to contact your Export Control Representative in all cases before travel commences. This ensures compliance with regulations, and addresses any specific considerations related to foreign travel and those you may meet while you're on travel status. Contact information for these professionals can be found on the website following this video. If your device is lost or stolen during travel take immediate action. Report the incident to law enforcement and if you're traveling abroad the nearest U.S. Embassy.

If your device is UA owned or managed, or if it has any UA data potentially involved, please promptly report the loss or theft to the UA Information Security and Assurance team so that we can do necessary followup and mitigation work as needed. Contact information for our group can also be found after this video.


Aaron, Sean shared a couple of tips for international travel. What other considerations are there about device security when traveling internationally for the èƵ?


Additional cybersecurity considerations come into play. Firstly acquaint yourself with the specific regulations of the host country, which may differ from domestic standards. OIT can assist you with how to do this.

Be cautious of potential internet access restrictions and bolster data security with a VPN for encrypted connection. Internationally, prioritize device security by implementing robust measures like strong password encryption and multi-factor authentication. Stay vigilant about physical device security utilizing locks or secure bags to deter theft.


When accessing public Wi-Fi ensure a secure connection using a trusted VPN. Be aware of potential device inspections at borders and comply with local regulations. Sean mentioned using a loaner laptop from the èƵ or a temporary burner device for international trips. You can get the loaner laptop from OIT. Prepaid cell phones and international SIM cards can be purchased for use of temporary devices at local retailers.

Familiarize yourself with the èƵ's emergency response plan for international travel knowing whom to contact in the event of the cybersecurity incident. You can access it using the link below. Lastly, keep IT support informed of your travel plan.


As we travel on behalf of the èƵ it introduces new dimensions to online physical security. To mitigate these risks effectively it's crucial for us to stay informed and implement proactive measures as outlined here. 

If you have further questions, please contact:

  • UAF Export Control: Aaron Menshouse,, (907) 474-7832
  • UAA Export Control: George Kamberov,, (907) 786-5472
  • Information Security and Assurance (ISA),, (907) 450-8300


Phishing: Risks and Responses

[January 2024] Chances are that you've encountered phishing emails numerous times in both your personal and èƵ email accounts. Phishing is a deceptive tactic to trick individuals into disclosing sensitive information. These attacks frequently employ convincing yet fraudulent emails, messages, or websites that mirror trusted sources like colleagues or official èƵ channels.


I’m here with Jeanette Okinczyc the manager of Security Operations for the University of èƵ system OIT. Today we’ll discuss the realm of phishing attacks; exploring essential strategies to detect and counteract these cyber threats.


How to recognize phishing attempts:

When it comes to identifying phishing attempts it’s crucial to understand that phishing succeeds because we’re human beings, and that we are all at risk for becoming victims of a cyber attack. My advice is for people to know that they can always take the time to verify, trust their gut instincts, and when something doesn't seem right, pause and reconsider.

Phishing preys on our vulnerabilities, but by being proactive and cautious, we can significantly reduce the risk of falling victim to these deceptive tactics. If you suspect a phishing attempt, please mark it as phishing in the Google interface. This sends a message to the security operations team so they can assess whether the circumstances warrant warning other employees to be on the lookout for parallel attempts. And if you’re not a Google user, please forward the email to 


Motives behind phishing attempts:

Let’s explore the aim of phishing attempts. Phishing has diverse objectives including stealing sensitive information, financial gain, and gaining unauthorized system access. Recognizing these motivations is crucial for better protection.

Phishing aims to steal sensitive information, enticing individuals to disclose personal details. This requires a cyber security culture emphasizing security measures, user education, and constant vigilance. Financial gain is another motivation prompting caution when faced with requests for financial information. Strengthening financial cyber security defenses is vital.

Phishing also targets unauthorized system access, demanding a comprehensive defense strategy with regular updates, robust password policies, and employee training. Understanding these motives helps tailor defenses fostering resilience against cyber threats.


Examples of various phishing methods:

Phishing is not limited to just email, it can manifest through phone calls, text messages and other channels. For instance deceptive emails may contain malicious links or attachments, and phone calls can be impersonations of trusted entities, and text messages might attempt to trick you into divulging sensitive information. Being aware of these methods empowers our employees here at the University to stay vigilant across different communication channels.

Phishing is a pervasive threat that exploits human tendencies. By stressing verification, intuition and caution, we can thwart phishing. Stay informed, be proactive, and we can reduce the risk of falling victim to these cyber threats.

Feel free to contact OIT Security Operations at 907-450-8900 for more information.

Password Security

[February 2024] When it comes to passwords, it's more than just picking any combination of letters and numbers.  As we recognize the growing sophistication of hackers it's essential that we understand what truly makes a password strong and secure.  Also, hange your passwords at least every six months and consider using a password manager like Keeper or other available options to help encrypt, store, and manage your passwords.


Hello everyone I’m Mary Gower. Today we’re joined by Kaitlyn Malloy, UA Security Analyst at the University of èƵ system, Office of Information Technology to discuss password security.

Exploring password security is more than just creating easy-to-remember passwords, especially now that the era of using something like "123456" is far behind us.

As we recognize the growing sophistication of hackers, including their use of AI, it's essential that we understand what truly makes a password strong and secure. This is even more urgent and concerning with so much personal identity information ending up on the dark web.

Kaitlyn, how does all this impact our approach to crafting passwords, and could you provide key tips to ensure our information remains as secure as possible?


Yes, this is really important. When it comes to creating passwords, it's more than just picking any old combination of letters and numbers. We need to think about what makes a password really strong and safe.

Recently, hackers have become more adept and are leveraging advanced technology to infiltrate various systems. Here at the èƵ, these systems contain valuable data such as research findings, student records, and intellectual property. Hackers use artificial intelligence to exploit weaknesses in security protocols and gain unauthorized access. 

And, as you mentioned, this can also be a big worry personally because our own identity information can end up on the dark web.

So, let's talk about a couple of tips to keep your information safer.

The length of your password is crucial. While a 12-letter password may seem lengthy, it might not be sufficient to deter hackers. Aim for longer passwords, ideally 14 characters or more, for enhanced security. 

Additionally, incorporate symbols like exclamation points or hashtags to add a layer of protection. For instance, a 12-character password using only letters is quickly crackable, but a 14-character password incorporating numbers, symbols, uppercase, and lowercase letters is currently estimated to take millions of years to crack. Integrate a special character within the password itself, such as replacing an A with the @ sign, or a zero for an O.

Be unique. Yes, it is absolutely a security risk to use the same password for all your accounts. Never reuse a password, even if it has been unused for some time. And, I know most of us have done this, but just adding a new number to an old password is not sufficient. 


Three key ways passwords get hacked are by credential stuffing, dictionary attack and by brute force.

In credential stuffing, an attacker takes login credentials obtained from a breached account and tries the same email and password combination across various accounts and websites. This technique is particularly potent because many individuals reuse passwords, and if one password is leaked in a data breach, it can be exploited across multiple platforms. This is why it is SO important to not reuse the same password.

In the next way, brute-force uses a program to systematically try different combinations of letters, numbers, and symbols at a much faster rate than a human could ever manually attempt. A hacker can test up to 100 billion potential passwords per second. If your password is simple or commonly used, it is likely to get hacked.

Next, and similar to brute-forcing but more intelligent, a dictionary attack checks words from dictionaries, company names, sports teams, and other common terms. This method allows hackers to crack passwords even more rapidly by leveraging known words and phrases.


Change your passwords at least every six months and consider using a password manager like Keeper or other available options to help encrypt, store, and manage your passwords. More information on password managers is available at the OIT website /securitymatters/training/password_managers.php.


If you need further assistance, including individualized help, contact the Office of Information Technology (OIT) Security using the provided contact number (907-450-8900) or visit the OIT’s website /oit/.

Social Engineering

[April 2024}  Social engineering is the use of deception and or manipulation intended to essentially cause a person to divulge information they normally wouldn't. Cyber attacks may include social engineering techniques, such as phishing emails or phone scams, to manipulate us into revealing confidential information or granting unauthorized access. Without proper awareness and training, you may unwittingly be subject to social engineering scams.  


Hello everyone, I'm Mary Gower and today I'm joined by Joshua Craft at the University of èƵ system office of Information Technology. Josh is a security analyst. So today we're going to be talking about social engineering and we'll have a follow-up chat where we talk about social engineering using artificial intelligence. In a nutshell social engineering is using psychological tactics to manipulate people.

In an information security context, social engineering is the use of deception and or manipulation intended to essentially cause a person to divulge information they normally wouldn't -- and it's usually used for fraudulent purposes. So unlike a cyber attack, bad actors gain the trust of their targets so they give up that personal information.Imagine now at the University we have a researcher -- let's call him Greg -- who routinely communicates online with colleagues. And a hacker will target Greg and meticulously research his communication patterns.

Then posing as an IT support specialist this hacker begins to send three seemingly legitimate emails over the span of a couple of weeks. These emails discuss routine system updates, software patches, upcoming security measures, and project work. Each message is crafted to mirror the University's communication style. So what this does, is it makes it challenging to discern any malicious intent. After establishing a sense of familiarity and trust with Greg, the hacker sends a fourth email this time containing a link that appears to be a program specifically associated with Greg's research. Trusting the routine nature of the communication Greg clicks on the link redirecting him to a convincing but fake login page where he enters his credentials and unbeknownst to Greg his username and password are now in the hands of the hacker.


Another common scenario takes advantage of certain events or transitions for setting up an attack -- like at tax time or when employees are first starting a job. For example, a hacker carefully monitors departments within the èƵ, pinpointing recently hired employees in financial aid for example. After identifying the targets the hacker sifts through all this information about their recent office events, gathered from the campus newsletters, student newspapers or even the office's Facebook account. The hacker then will craft a personalized phishing email posing as a human resource employee. The email prompts the new employee to click on a link for èƵ onboarding training -- however that link actually leads to a phishing site designed to capture these log-in credentials allowing the hacker to gain unauthorized access to the new employee's sensitive financial aid data.


To prevent this from happening, start with being skeptical. Always approach unexpected emails, 

messages or calls with caution. Verify the identity of the sender through established and trusted communication channels before sharing sensitive information or clicking on links. If you're ever in question, reach out to that colleague. Send them an email, make a phone call, verify maybe they did or did not send those suspicious messages.

Additional counter measures could include training employees on recognizing phishing attempts and implementing Two Factor Authentication -- also known as TFA -- to add an extra layer of security beyond just the password.

Keep tabs on what's happening in security awareness and take training to learn to recognize and respond appropriately to social engineering attempts. You can check out the cybersecurity trainings at myUA. The simplest way to locate them is to search “data security” once you've logged in to myUA.


The best resource for learning the latest about all of these kinds of changes in the landscape are usually cybersecurity news articles. The principles of social engineering do not necessarily change through time -- it's their core kind of inner workings to hack the human psychology and get users to divulge information by exploiting them. There's a really great article called “Social engineering: definition, examples, and techniques”; on an online resource named CSO that I recommend looking up. It talks about many different elements of social engineering and examples as well.

For urgent matters, contact your local service desk. If you need further assistance including individualized help contact the Office of Information Technology Security at or visit the OIT's website.

University Compliance

Compliance Onboarding

[October 2023] The initial days as a new èƵ employee,  when people are shaping their initial perceptions of èƵ worklife, meeting their supervisor and colleagues, and settling into the new work space, is the key time for us to emphasize our commitment to compliance. It is crucial that employees realize this responsibility early. Non-compliance can lead to safety risks, legal consequences for the èƵ, reputational damage, financial losses, and disruptions in both operations and academics.


No matter your position, it’s crucial that all èƵ employees maintain compliance with laws, policies, and procedures. To understand why this is important, let's begin by discussing the risks of non-compliance.

Non-compliance can have significant repercussions. At the worst, failure to follow laws and regulations can result in injury, death, legal actions, fines, or lawsuits.

  • Legal Consequences can span safety, finance, research, and student rights.
  • Reputation Damage can harm enrollment, funding, and credibility, especially if legal issues arise.
  • Financial Impact of non-compliance may result in fines, legal fees, and reduced funding, affecting resources and donor support.
  • Operational Disruption can be significant. Violations require quick actions to make things right, which could disrupt academic functions and research.
  • Finally, this can include loss of funding and trust erosion. Failure to comply can risk grants and research support.


As a èƵ employee, let's take a look at what your compliance responsibilities include. These are grouped into: risks, mitigation, training and reporting.


It’s each of our responsibility to understand compliance risks relevant to our roles. Familiarize yourself with the policies, procedures, and laws that govern your work. You are expected to conduct èƵ business in a compliant and ethical manner. As an example of risk, imagine a hypothetical situation where researchers stored hazardous chemicals in a lab without proper containment and labeling. This risks chemical reactions, spills, and endangers lab personnel and the environment.  It can lead to potential accidents, injury and penalties.


This includes following established compliance activities, processes, and controls to mitigate risks. As an example, the èƵ has a risk mitigation plan concerning minors on campus.  This includes specialized training and establishing clear policies to prioritize the safety of the minors attending its programs.



As an employee, you need to complete all required compliance education and training for your position.  Speak with your supervisor to understand what the compliance requirements are of your position, and to identify relevant laws, Board of Regents policy, and University regulation, as well as training specific to your role.

Let’s consider what can happen with OR WITHOUT the right training. Imagine if a èƵ's event planning team arranges an inaccessible seminar, lacking ramps, elevators, sign language interpretation, or accessible materials. Or, consider the alternative. After participating in proper disability access training, the team knows to choose a venue with ramps, elevators, to provide a sign language interpreter, and accessible materials. This is not only lawful, it also demonstrates our commitment to inclusivity. 



As members of the University community, we all share the responsibility to foster a safe and ethical campus environment. If you observe any concerns, don't hesitate to speak up. Stay attentive, inquire, acquaint yourself with èƵ policies, and report any issues to your supervisor or other èƵ leadership. If you feel uncomfortable approaching your supervisor, you can report using the confidential and anonymous UA Hotline. The hotline serves as a system-wide tool for receiving tips on safety, financial or reputational risks. 

UA Confidential Hotline

Again, thank you for your time and let me know if you have any questions.

Protection of Minors

[August 2023] The increasing volume of minors in youth camps, UA events, middle-colleges and other affiliated programs underscore the significance of protective measures for the well-being of these younger students within the èƵ environment. Under Board of Regents’ policy Chapter 09.12 – Protection of Minors, the èƵ provides a policy and regulation framework designed to ensure the safety of minors participating in programs, events, and activities.


I'm here with Bridget Ballou and Jesse Benton to discuss protection minors at the University. As you walk around campus you likely have noticed the growing number of students under the age of 18 in class, in Residence Life, and in other Student Activities. "Protection of Minors" is a set of policies and measures aimed at keeping individuals under 18 safe and secure when they're on our campuses. Such policies reflect the institution's commitment to maintaining a secure and supportive space for all members of the campus community.


Three key things èƵ employees need to know about minors attending the èƵ are:

  1. Some èƵ employees involved in the protection of minor processes are "mandated reporters." The list of included employees is sent in Statue set by the state, which may change over time.

However everyone is encouraged to report whether they are a mandatory reporter or not. Mandatory reporters must submit a report to the state of èƵ's Office of Children's Services within 24 hours a reasonable cause to respect that a child has suffered harm as a result of abuse or neglect. This includes reporting requirements and follow-up investigation after the event has taken place, as well as here at UA, we report all concerns to the Equity and Compliance Office.

  1. Training and certification. Certain work teams and departments that frequently interact with minors, such as admissions teams assisting minors regularly, should provide staff with appropriate training and certification to handle situations involving minors effectively and responsibly.

  1. Employees need to start the Protection of Minors process at least 30 days prior to a minor event taking place on campus. Give yourself and your team or department plenty of time, because the process can involve multiple employees, work teams, background checks, and collaboration with external partners. 


Employees should be aware that certain activities involving minors may require heightened levels of supervision and additional mitigation processes. These could lead to different procedures, potential timeline delays, and the need for specific authorizations.

Decisions on such activities may be based on risk assessments, staffing considerations, equipment requirements or insurance coverage, among other factors. When volunteers and protection of minors activities are combined, there are additional procedures and authorizations that are needed.

These could involve risk management assessments, Title IX training, waivers and more, to ensure the safety and well-being of minors involved. As a best practice to protect both employees and minors, avoid being isolated or alone with a minor at any time. If such situations are unavoidable, employees should take steps to ensure the safety of both parties. For assistance in developing action plans for such scenarios, employees can reach out to their Protection of Minor’s contact.

The upcoming new protection of minors policy will require a minimum of two supervising adults to be present at every event involving minors, although there will be some exceptions.

Documentation and the retention of all records is vital to meet all the laws related to protection of minors.


If you see something of concern please make a report to the Office of Children's Services and notify your Protection of Minors contact. 

If you have ideas for future compliance chats please send them to


Title IX

[November 2023] Title IX is foundational for ensuring equal rights in education, preventing sexual harassment, and combating sex-based discrimination. Title IX includes provisions for pregnancy protections. It also provides essential safeguards and procedures to address misconduct in educational settings.

Regents Policy Chapter 01.04 – Sex and Gender-Based Discrimination Under Title IX

The Board of Regents of the University of èƵ System affirms its commitment to educational programs and activities that are free of discrimination on the basis of sex and gender.


Hello, I'm Mary Gower, and today I'm joined by Mitzi Anderson from UAS, Sara Childress from UAA, and Kaydee Van Flein from UAF to talk about Title IX protections here at the èƵ. 

Title IX is foundational for ensuring equal rights in education, preventing sexual harassment, and combating sex-based discrimination. It provides essential safeguards and procedures to address misconduct in educational settings.

Title IX also includes provisions for pregnancy protections. This, and other federal and state laws, ensure that pregnant students and employees have access to necessary accommodations and support to continue their work or education. The staff that support this work at UA play a pivotal role in upholding a safe and inclusive campus environment through their efforts to prevent discrimination and harassment.

Mitzi, my first question is for you. Let's say a coworker tells me that they are being sexually harassed. What do I tell them about how to make a report? Also, what happens after a report is made?


If the coworker believes they’ve experienced discrimination, they can report the incident online through the equity and compliance website. They can also report in person or over the phone to the Title IX Coordinator or their staff, or make an anonymous report through the UA confidential hotline. These resources will be shared later in this Chat. Also, a reminder that most èƵ employees are considered responsible employees. This means that, with few exceptions, University employees must report any incidents of sexual misconduct they become aware of to the Title IX coordinator or other designee within 24 hours of becoming aware.

This is because the èƵ is required to address any incidents of sexual misconduct about which a responsible employee knew or should have known. When reporting under Title IX, the process usually follows these steps. First, supportive measures are offered to the impacted individuals and additional information may be collected. If it appears that a policy violation may have occurred, the individual may choose to file a formal complaint and the University will then proceed with an investigation. This includes notifying parties involved that an investigation is being initiated, explaining their role in the process and that of others, such as advisors, and offering supportive measures and other resources throughout the entire process.


Following an investigation, if an informal resolution cannot be reached, a hearing with the opportunity for cross-examination will occur. Once a determination has been made on whether policy was violated, and after any appeals have concluded, the University will identify remedial efforts. If a violation is found, the èƵ must stop the discrimination, work to prevent it from happening again, and remedy the effects of the discrimination, which can include sanctions. Sanctions for a respondent employee found responsible for discrimination range from a written reprimand, disciplinary probation, suspension without pay,and up to termination for cause, following èƵ policy.


Thanks Mitzi. Sara, what's different about Title IX now versus ten years ago?


Well, compared to a decade ago, our current landscape is a significant contrast in awareness, process and action regarding Title IX-related  issues. We've seen frequent federal changes, 

prominent national cases, and influential social movements such as the #MeToo movement that have driven these issues to the forefront. Staying on top of these federal changes takes our departments' constant attention. We are consistently updating our processes and materials to align with the frequent federal regulation changes. Notably, in the past 10 years our universities have expanded their infrastructure, support and resources for the parties involved in sexual harassment and discrimination. 

Additionally, there is increased accountability for all aspects of Title IX processes. The updated regulations include specific requirements for how institutions must respond to Title IX complaints, placing a premium on ensuring a fair process for all parties involved. We've also intensified our focus on training. UA Safe is a custom-designed training module developed in response to feedback from both our students and our employees to reflect èƵ's special needs. In addition to UA Safe, TIX teams across the universities engage with critical stakeholders to create meaningful programming outside of the training module.


Thanks Sara. Kaydee, how can my department become a Title IX  partner?


Thanks so much Mary. There are specific steps the departments at our universities can take  to become Title IX partners. Departmental leadership can ensure that their team members complete UA Safe training annually and also confirm their employees' knowledge of reporting Title IX concerns or incidents. It can be as simple as asking your teams how and when they would report to the Title IX office. Encourage your teams to connect with their respective TIX teams and ask questions about processes, how to help others report and what to expect. 

We're happy to attend staff meetings to talk about challenges employees are facing and how we as Title IX can be good partners to all of you. Departments can request bystander or green dot training to better understand the èƵ's prevention and awareness programs, as well as understand how to recognize and safely intervene in potentially dangerous situations. They can also ensure all team members are familiar with an employee's pregnancy and childbirth rights to accommodations, which might include things like schedule adjustments, additional breaks, workstation modifications, and accessible parking. Finally, fostering a departmental culture that is inclusive, respectful, and free from discrimination and harassment is the best way to partner.


It's great to see colleagues leading by example and setting a standard for respectful behavior. Please reach our offices for opportunities to collaborate and ways you feel we can support you all in your respective teams. Thank you so much.


Thanks Mitzi, Sara and Kaydee. Everyone, thanks for joining us for this Compliance Chat, and if you see something of concern, please make a report.

For sex discrimination claims or other inquiries concerning the application of Title IX of the Education Amendments of 1972 and its implementing regulations, individuals may contact the University’s Title IX Coordinator, or the Assistant Secretary in the U.S. Department of Education Office of Civil Rights, or both:

UAA Title IX Coordinator

3190 Alumni Drive, Suite 352

Anchorage, AK 99508

Phone: 907-786-0818



UAF Title IX Coordinator

1692 Tok Lane, 3rd Floor Constitution Hall

Fairbanks, AK 99775-6910

Phone: 907-474-7300


UAS Title IX Coordinator

11066 Auke Lake Way

Juneau, AK 99801

Phone: 907-796-6371


Office for Civil Rights, Seattle Office

U.S. Department of Education

915 Second Ave., Room 3310

Seattle, WA 98174-1099

Phone: 206-607-1600

TDD: 800-877-8339


Additional topics covered monthly

Executive Branch Ethics Act Compliance

As èƵ employees, the Executive Branch Ethics Act (EBEA) provides us guidance for safely navigating situations such as compliant employment and contracting with the èƵ, and serves as our Standards of Ethical Conduct.

#7 Partisan Political Activity

[July 2023] In recent times, èƵ employees have become increasingly aware of the guidelines and restrictions surrounding their political activities. It is essential to understand the parameters set by the Executive Branch Ethics Act, and Board of Regents’ policy about partisan political  activities. This latest installment of the "" video series provides a brief yet comprehensive overview of the guidelines aimed at avoiding potential issues concerning political activity.


The Executive Branch Ethics Act states that UA employees cannot use any UA resources - meaning funds, facilities, equipment, services - for partisan political purposes. That phrase “partisan political purposes” has a specific meaning. It's the intent to differentially benefit or harm a candidate, or potential candidate, for elective office; or a political party; or a political group. It does not include having the intent to benefit the public at large, through the normal performance of our official duties.

This includes municipal elections as well. Even though municipal elections are supposed to be nonpartisan, they still fall within this definition of partisan political activity; so using UA resources to support a candidate still counts as partisan political activity even if it's a municipal election.


Isn't that an infringement on our right to engage in political activity?

The EBEA doesn't tell us that we cannot endorse candidates, or campaign, or make donations in our individual capacities - we still have all those individual rights - it just says that we cannot use our access to UA resources for those activities. Employees can endorse a particular candidate or take a position for or against a ballot proposition in their individual capacity; it just says that they can't use UA resources in order to do so.


I've seen candidate debates on campus, is that permissible?

A candidate debate, as long as all the candidates are invited and treated equivalently, does not have the intent to benefit or harm any individual candidate, so does not violate the statute. And the people who within the èƵ are working to set up those candidate forums are working to benefit the public interest at large through the normal performance of their official duties as long as they don't manifest any favoritism in setting those events up.


What about political rallies or party conventions held on campus?

If there's a meeting room, or arena, or other facility that UA offers to rent out to individuals, or businesses, or other entities, those facilities can be rented out on equal terms for a campaign, or a political party, or a political group. As it's got to be on the same terms, and it's got to be on the same price that we would be willing to let it go out for a business convention or something like that. And we have to be willing to offer that same arrangement to any of the candidates running against that person. We would need to rent facilities out to campaigns in the same way that we would rent them out to any other entity.


Displaying or distributing partisan political material while engaged in an official UA business is not permissible. If you are working off-site, you can have the campaign materials in your own home work area, just keep the materials out of the background when you're on an official Zoom call.

Activities on your own time and away from your work area, such as employees that wish to waive campaign signs on a street corner during their lunch time, are okay as long as you aren't using any UA resources. So if you want to campaign, you can take personal leave or faculty time off and use that time for campaigning away from your work area. The èƵ does not limit that to unpaid leave.

Employees can have their name listed in a campaign ad, but we recommend you not include your UA affiliation or if your picture is going to appear in the ad don't have it taken by some UA Landmark or containing a UA logo.

It can be appropriate to list your profession, like college professor, since UA is not the only college in èƵ, but avoid mentioning the University of èƵ by name.


What about legislators visiting a campus?

Legislators often have very good reasons to visit a campus to learn more about a particular program, or learn more about the èƵ in general, that's not a violation of the EBEA. And we can arrange events to give legislators a tour or something like that.

We do try to be careful to caution the legislator not to turn the visit into a campaign event and similarly a political science professor might want to have a legislator come in to give a guest lecture on some topic - that furthers UA's educational mission, and that's permissible; again assuming we're careful to avoid having it turned into a campaign activity.


What if I write an email to a legislator from my UA email address about an important topic, would that get me into trouble?

We recommend for several reasons that when you're going to be writing to a legislator that you use your private email address for that and do so outside business hours. 

There are many reasons for that:

  1. It's too easy to inadvertently step across the line between lobbying and electioneering. If I am telling a legislator “I want you to support this bill that's lobbying and that's not prohibited by the EBEA but if that email says I want you to support this bill and if you don't I'm going to start making contributions to whoever your next opponent is.” In this example I've crossed that line -- that's electioneering, and I can't use UA resources for that.

  2. Using a UA email address can convey the impression that I'm speaking on behalf of the University. Regents' policies state that if I'm communicating with a legislator or with someone in the governor's office, the president has to authorize that kind of official communication. Even though it might not amount to a violation of the partisan political activity prohibition, it would violate this other Regents' policy about being an official spokesperson on behalf of the University.

  3. Even if my email says I'm just talking in my personal capacity, for example because I'm on the board of my kids soccer league and I want support for funding intramural sports, remember the EBEA prohibits us from using UA resources to further our personal or financial interests. So even though it may not be partisan political activity, if I'm using UA resources to further my personal interests, that's still forbidden by the EBEA entirely aside from whether it's partisan political activity or not.

  4. Even if it's something on which the president has authorized me to write an email to legislators – and this frequently comes up when somebody is targeting the èƵ budget for cuts, and the president will say "we want to encourage you to have your input to the Senate finance committee or the house finance committee on this" some legislators when they see an email coming with a UA email address down at the bottom will discount those points that you're trying to make in the email.

  5. Sometimes we get complaints from legislators who have gotten emails from a UA email address and we have to investigate those and even though if we look at them and decide this is not partisan political activity, it still takes time and resources to conduct that investigation, and so our strong recommendation is if you if you want to write to a legislator it's almost always preferable to do so using your private email.

Those aren't all the reasons, but they're some of the more important reasons why we always encourage if you're writing to a legislator or to somebody in the executive branch use your private email for that rather than a UA email.


What about students who are not University of èƵ employees, but they use their UA email address to engage in partisan political activities?

Well, the executive branch ethics act says that even though the students themselves if they're not employees are not bound by the EBEA, we cannot either use, or authorize the use by somebody else, of UA resources. So if we learn of a student who has been sending out partisan political activity we do have a responsibility to not authorize that use by contacting the student and saying we would respectfully request that you refrain from using UA emails for partisan political activity.


Student political clubs are allowed to use their own funds, including funding they have may have from the student government, in order to engage in partisan political activity that's why they exist in the first place as long as they don't abuse that discretion by doing something that would violate the EBEA or other provisions of law like trying to disguise funds that do come to the student political club from a political party.

But they do have more flexibility to engage than what we as University employees would be able to do as far as the political activity.


What if an employee wants to run for public office?

Well an employee doesn't have to resign from the University in order to run for office but may have to resign if they win.

If you're going to run you should disclose that as an outside activity through the outside activity disclosures that we've previously discussed, and the same is true if you're going to be a Treasurer or other have some other official role in somebody else's campaign. If you win, you may need to resign at that point.

State legislators are not allowed to hold a position of profit with the state, so would have to resign from a full-time UA position before getting sworn in as a legislator.

Under certain narrow circumstances you might be allowed to continue to teach courses as an adjunct as long as it is temporary and non-salaried, but that's a fairly narrow exception. For the most part people who get elected to a municipal board or to a school board don't have to resign but would need to report that also as an outside activity.

If you get elected mayor it depends on whether it's a full-time job or not. If it is a full-time job as mayor then it may be not compatible to work full-time for both the mayor's office and for the University. Not because of any partisan political activity prohibition, but because the outside activity rules make it virtually impossible for any UA employee to have two full-time jobs.


For more information check out the general counsel ethics website /counsel/ethics-information/.

If you have ideas for future compliance chats please send them to

#6 Misuse of Official Position

[June 2023] At the University of èƵ issues such as misuse of official position are addressed in the Executive Branch Ethics Act (EBEA). Regarding our use of our official positions, the EBEA states that employees may not “use, or attempt to use, an official position for personal gain, and may not intentionally secure or grant unwarranted benefits or treatment for any person.”


"Misuse of Official Position" has some very similar aspects to the topic of "Improper Influence in Grants, Contracts, Leases and Loans" which we already talked about.

The Grants, Contracts, Leases and Loans statute is narrower in the sense that it only deals with Grants, Contracts, Leases and Loan whereas Misuse of Official Position statute talks about any kind of matter, not just one of those four.

But the Grants, Contracts, Leases and Loans statute is also a little broader in that it prohibits me from holding a specific UA position affecting a personal or financial interest in a particular grant, contract, lease or loan. Whereas with respect to Misuse of Official Position, it tells me rules that I have to abide by, things that I cannot reach out and try to do, but it wouldn't make me leave that particular position with the èƵ.


An example: It's best to think of Grants, Contracts, Leases and Loans in terms of nepotism. If my son and I are both working for the same unit, then he cannot be my supervisor no matter how careful he's being to treat me the same as all his other direct reports. That's just a rule, period, that he cannot be in that position.


How is the Misuse of Official Position statute different?

There's a general rule that we may not use or attempt to use our official positions for personal gain, and may not secure or grant unwarranted benefits or treatment for any person.

And that is followed by six specific prohibitions.

The sixth needs its own chat as that deals with Partisan Political Activity which can take some time to cover.


Number one is we cannot seek other employment or contracts through the use or attempted use of our official position.

What you cannot do is to use your official position to provide somebody with any favors in order to get that job offer as a quid pro quo.


Example, implying that a letter of reference is tied to whether or not a position is open.

It's okay for me to write letters of recommendation, and it's okay for me to inquire about job openings, but once I link those two together and imply that how the letter comes out might depend on whether I got a job offer that's prohibited.

Similarly,  if I'm steering University business towards a company with an understanding that they'll hire me after I leave the èƵ, that's prohibited.


Two, a UA employee cannot accept receive or solicit compensation for the performance of official UA duties or responsibilities from anybody else other than the University.

That could include a $5 tip - or any compensation. Don't accept anything of value offered as compensation for your University work.


They can make a contribution to the èƵ, but not to me as an individual.


What if I'm being compensated for work that I did for another employer and not the University?

As long as you disclose that as an Outside Activity, and got that approved, you're OK. That's why it's important that outside activity occurs away from regular UA work time.


The third one is a UA employee cannot use UA time, property, equipment, or other facilities to benefit personal or financial interests.

Example: using UA vehicle on the weekend.

It applies to any significant property.


The fourth, an employee cannot take or withhold official action in order to affect a manner in which the public officer has a personal or financial interest.

That is one point of difference between this statute and the Grants, Contracts, Leases, Loans statute

If the matter in which you have an interest does not concern a grant, contract, lease, or loan, then your job can still include duties concerning that matter as long as you were very careful to individually avoid taking or withholding action anytime that matter comes up.


Remember the definition of official action is very broad and can include any involvement advice, assistance or recommendation.

So that broad definition of "official action" means that we have to be very careful.


The fifth one is, we cannot attempt to benefit a personal or financial interest through coercion of a subordinate, or require another University employee to perform services for our private benefit at any time.


Example my employees have offered to help me stain my deck, is that ok? What if I pay them?

If it's truly voluntary on their part, there's no violation. But if you bring it up as their supervisor it may be received as a thinly veiled requirement.

So if you need help it should be from someone other than your subordinate.

Regarding compensation, the rule still applies, though paying them does make it seem less likely that you are coercing them, or are requiring them since they could say no more readily.


What if the helpers are students?

You should apply the same rule as to any student over whom you have any kind of authority.

There isn't a specific definition of subordinates in the statute, but we don't want UA employees to be trying to coerce students any more than we want them to be trying to coerce direct reports.

If you have ideas for future compliance chats, please email them to

#5 Restrictions Post-Employment

[May 2023] Most obligations under the Executive Branch Ethics Act end with the termination of èƵ employment with two exceptions.  This includes (1) the information that we glean from our UA official duties and (2) the other has to do with advice, assistance, and representation. 



If an employee is about to retire or leave the èƵ to take another job, does that mean that their èƵ Executive Branch Ethics Act obligations are complete at that point?

For the most part, yes. Bear in mind if you're going to work for another employer, that employer may have their own ethical obligations and in particular if you go to work for the State of èƵ you'll be bound by the same Executive Branch Ethics Act that governs us as UA employees.  But, for the most part, once we leave employment with the èƵ we don't have to follow the EBEA anymore but with two exceptions.  This includes (1) the information that we glean from our UA official duties and (2) the other has to do with advice, assistance, and representation.

  1. Current and former employees have an obligation to continue keeping confidential that information that is confidential by law and also to refrain from using or disclosing any information that might have any benefit for myself or for an immediate family member. And those obligations still apply even after the employee leaves èƵ employment. The obligation to keep confidential that information that is confidential by law is indefinite and permanent.
  2. For two years after leaving UA employment employees cannot advise, assist, or represent someone on a matter that was under consideration by the administrative unit for which they worked, and in which they personally and substantially participated. This exception is temporary and it's also waivable and it doesn't really come up very often.


Examples of prohibited post-employment activity for a period of two years after you leave employment include:

  • Employee is on a hiring committee; a dissatisfied job applicant is thinking about suing the èƵ and wants to hire this employee to be a consultant.
  • Employee was on the selection committee for a contract award or otherwise participated personally substantially in it; one of the people or businesses who put in a proposal that was not selected wants to pay the employee to be an expert witness.  
  • Employee was on a grade review committee;  and the student wants to appeal that determination to Superior Court and wants to pay the employee to help write that appeal.
  • Employee helped write a èƵ regulation or a Regent's policy;  outside employer wants to pay for employee’s help in lobbying the Board of Regents to change it. 


This rule applies only if it is for compensation. Compensation is defined pretty broadly so it also includes travel reimbursement.  But if it is something you are doing with no compensation at all then it is not a violation of the statute.  But, with or without compensation, you still have the duty to respect the information limitations.  So even if there's no compensation, you cannot disclose information that's confidential by law, or disclose or use information that could be of any benefit at all, whether financial or not, to yourself or a member of your immediate family.


The bar on assistance, advice, or representation only lasts for two years.  As we discussed earlier, if you are, in the course of providing this advice or assistance, drawing on information that's confidential or that could benefit you or a family member and has not been publicly disseminated yet, that information protection obligation remains in place. The restriction that is specific to advice, assistance or representation for compensation is two years. 


There's a specific provision in the statute that says that if it is the University that wants you to come back to work for them as a contractor, or maybe as an employee, then this prohibition doesn't apply. There are some wage and hour rules and retirement rules that might have limitations on how quickly you can do that but the ethical obligation doesn't apply if it's the same agency like the èƵ that wants you to work on that issue. 

If it would be to work for someone else under this provision rather than the èƵ, the former employee can apply to the èƵ president to waive the bar of that statute if the èƵ president is convinced that it's not adverse to the public interest. That waiver has to be submitted to the Attorney General's office for approval.

For more information, contact the General Counsel’s office (907-450-8080) or the Attorney General's office (907-269-5100).

#4 Avoiding Improper Influence

[April 2023] The EBEA states that “employees, or an immediate family member, may not attempt to acquire, receive, apply for, be a party to, or have a personal or financial interest in a state grant, contract, lease, or loan if the employee may take or withhold official action that affects the award, execution, or administration of the state grant, contract, lease, or loan.”


This section of the Executive Branch Ethics Act restricts employees and immediate family members from having a personal or financial interest in University or state contracts, grants, leases or loans if the employee may withhold or take action official action that would impact the outcome. 

It protects that principle in two ways: a disclosure requirement and a prohibition.

Disclosure requirement:

As UA employees we have to report in writing to the ethics supervisor a personal or financial interest held by ourselves, or our immediate family members, in any UA grant,  contract, lease, or loan, that is awarded, executed or administered by the èƵ. 


As a UA employee neither myself, nor any immediate family member, may enter into, or try to enter into, or apply for, or have a personal or financial interest in, any èƵ grant, contract, lease or loan if I may take or withhold official action that affects anything about that grant, contract, lease or loan.


Examples of issues that need to be disclosed:

The most common is if two immediate family members are each employed by the University, at least one of them has to disclose that in writing to the ethics supervisor. And this situation is so common that there's a specialized form we use for disclosure of employment of an immediate family member. Immediate family member(s) not employed by UA submitting a bid to become a private contractor would still be a personal or financial interest and need to be disclosed.


Can my immediate family member be an employee or a private contractor?

The disclosure requirement covers a broader array of contracts, grants, leases, or loans, than the prohibition does -- most of the disclosures made by employees are situations that are not prohibited. If the employee has any influence, even in an advisory role, over the grant, or contract, or lease, or loan, it triggers a prohibition. An advisory role is still official action.


If I don't have any influence at all, such as a decision made by a separate component of UA, is it prohibited?

Then although this still has to be disclosed, your immediate family member is not prohibited from applying for that, as long as neither immediate family member has any kind of supervisory role with respect to the other. In other words, is not in a position from which they can participate in any employment, or grievance, or compensation, retention, promotion, leave, or other personnel decisions concerning the other family member, then that's permissible.  The disclosure still has to be made, but no remedial action will be necessary beyond that. 

Possible scenarios:

  • If the immediate family member is trying to contract with the èƵ on a matter that's completely unrelated to the employee’s position or authority the disclosure still has to be made, but they are not prohibited from applying. 
  • If the immediate family member would be prohibited from applying because the èƵ-employed family member has a supervisory role, the ethics supervisor can make an assessment in that situation to explore if it's feasible to reassign duties away from the family member to someone else. If that is found to be feasible, that's the preferred solution to address a potential conflict.
  • If your immediate family member wants to apply for a position that you would normally supervise, then the ethics supervisor can work with your work supervisor to see if it is practical to take those particular supervisory duties away from your position, and assign them to another position. If it's practicable to do that, then the ethics supervisor writes up a formal memo to accomplish that, and once your work supervisor approves that reassignment memo, then you don't have that supervisory authority anymore. It's not always feasible to make that reassignment, but where it is, and where that's properly documented, that fixes the problem. 

#3 Use or disclosure of information

[February 2023] Everyday in our èƵ jobs we hear and read interesting information and sometimes it can be difficult to figure out whether it is OK to share that information with friends and family members. As èƵ employees, the Executive Branch Ethics Act provides guidance for these situations, and serves as our Standards of Ethical Conduct. 

Question One (00:09)

Does the duty not to use or disclose information apply only to information that is confidential by law?

No, and the duty not to use or disclose information has two parts.

Part one is limited to information that is confidential by law. Current and former employees can not use or disclose, without appropriate authorization, information that is confidential by law.

Examples of information that is confidential by law are:

Information that's protected by FERPA (student records) would be one obvious example. Basically if there is a law that says the University has a duty to keep information confidential, then all èƵ employees have an ethical as well as a legal duty to keep that information confidential.

Part two is a little more involved. Even if the information is not confidential by law, if it is information that the employee received through their official duties, and if that information could in any way result in a benefit for the employee or the employee’s immediate family members, then the employee cannot use or disclose that information if the information has not been disseminated to the public.

This requirement is not limited to financial benefit. It includes anything that is to a person’s advantage or self-interests, or from which a person profits, regardless of the financial gains. So it includes financial benefits, but it also includes service, privilege, exemption, patronage, advantage, advancement, or really anything of value.

Question Two (01:50)

How far does the “immediate family member” group extend?

“Immediate family member” would include a spouse or domestic partner, child or children  (including stepchildren and adopted children), parent, sibling, grandparents, aunts and uncles, and my father-in-law, mother-in-law, or sibling-in-law. So if I, as a UA employee, have any information that could benefit somebody in that group and in that scope, then I cannot share it. Or if one of my immediate family members is employed at UA and that person has information that might benefit me, then they cannot share that information with me.

Question Three (02:28)

If I know of someone that is outside the University who has learned the protected information, does that count as being publicly disseminated?

No, the state regulations have a specific list of things that have to be met in order for information to be regarded as being publicly disseminated. If it has been distributed through a newspaper or other printed publication; through broadcast media; a press release; a newsletter; a legal notice; a nonconfidential court filing; a published report; a UA website; posting on the èƵ Online Public Notice System; a public speech; or public testimony before the legislature or an agency.

Information that has not gone public through one of those channels, even though it may have to be produced in response to a public records request,or it may have otherwise been accessed by a member of the general public, it has not been "disseminated" to the public. So we should not disclose or use it if it might benefit ourselves or our immediate family members.

Question Four (03:36)

Who do we report it to if we suspect that someone has shared protected information, and what are the consequences?

It should be reported to the ethics supervisor for the particular unit of the èƵ for which you are working. And those are listed on the ethics website for the general counsel's office. It may also have to be reported some place else, if it entails a crime or Title IX violation or something like that, but the place to start would be the ethics supervisors. Disciplinary action for an employee sharing protected information would follow the same progressive discipline approach that any other violation of policy would for an employee.

Question Five (04:19)

After we stop working for the University, are we released from these obligations?

No, these requirements regarding the sharing of confidential information apply to current and former employees. Most provisions of the Executive Branch Ethics Act stop being applicable to us when we stop working for the èƵ, but these particular provisions apply to former employees. So even after leaving the èƵ's service you still have these obligations to keep that information confidential.

If you have ideas for future compliance chats, please email them to

#2 Outside Activity or Employment 

[January 2023] It’s important that employees be familiar with the guidance that covers the reporting requirements and restrictions on outside employment. All UA employees, full or part-time, are subject to the outside employment restrictions set forward under the Executive Branch Ethics Act (EBEA), which serves as UA’s Standards of Ethical Conduct and its implementing regulations published by the Department of Law.  

Scenario one: (00:26)

Kaya is a UA faculty member and is contacted by John Hopkins University to work on a research project on a part time basis. What are the steps that Kaya needs to take in considering this opportunity and making sure that she's compliant?

First Kaya should talk informally to her work supervisor about the prospect and about any potential drawback.

Then get a form for disclosure of activities outside the University of èƵ and answer the questions. Once signed it goes to the supervisor for approval and then to the designated ethics supervisor who reviews the whole package for compliance.

Note UA resources are not to be used for outside work.

Scenario two: (2:30)

Sam is a supervisor and receives a disclosure form of outside activities or employment. What are the top three things that he should keep in mind when looking to approve or to possibly not approve this request?

One: whether the outside activity will take time away from the employee’s official èƵ duties.

Two: whether they're going to limit the scope of the employee's official èƵ duties.

Three: whether the outside activity is otherwise incompatible or in conflict with the discharge of the employee's èƵ duties.

Scenario three: (3:17)

If a UA employee takes outside employment to supplement their income is there a limit to the number of hours they can work?

General guidelines are that employment under 10 hours is not generally regarded as interfering with the employee's primary duties to the èƵ.

If the outside activity is taking 27.5 hours or more per week, the ethics supervisor will have to look closely to see how the employee and the work supervisor are working to manage that time commitment without interfering with the èƵ duties.

In between that 10 hours and 27.5 hours, deference will be given to the work supervisor's judgment about how well the particular employee will manage the commitment while giving primary attention to their UA duties.

If outside work is occurring during regular èƵ work time the employee may need to take annual leave or faculty time off, or adjust their regular working hours with their supervisor's permission.

Scenario four: (5:13)

What about volunteer work?

Some volunteer work should be reported if it takes time away from the employee's official duties; limits the scope of the employee's official duties; or is otherwise incompatible or in conflict with the proper discharge of the employee's official duties. Employees should report official positions within outside organizations (e.g. Board Membership, Officer position).

Scenario five: (6:13)

Outside the July 1 annual reporting requirement when does an employee need to file a report?

The statute requires that the report be made annually, around July 1st, even if nothing has changed about the outside activity.

If an employee takes on a new outside activity, or there are significant changes to a current activity, then a new disclosure needs to be made.

If you have any ideas for future "Compliance Chats" please go ahead and email us at

#1 Gifting Guidelines for UA Employees

[December 2022] As we are nearing the holidays, in this inaugural "Compliance Chat" Mary Gower is joined by Andrew Harrington to discuss gifting compliance guidelines. They address four scenarios about employees receiving gifts and the best way to handle each situation.

Scenario one: (00:22)

A software vendor is taking their top èƵ clients out for an expensive dinner. How should one proceed?

You should politely decline the invitation, or if you decide to go, you should insist on paying for your own $100 dinner rather than accepting the gift. As èƵ employees we're not allowed to accept or receive gifts under circumstances in which it would reasonably be inferred that the gift is intended to influence our professional actions, or decisions, or judgment.

Scenario two: (01:28)

An employee at convocation wins  a èƵ sweatshirt. What do they need to do?

As long as it was somebody from the èƵ who was tossing out the sweatshirts, you're fine keeping the sweatshirt, and you don't have to report that as a gift. Anything that you get from our employer is not a gift. The Executive Branch Ethics Act focuses on gifts from third parties intended to influence our actions or judgment.

NOTE: While gifts from UA to its employees need not be reported under the EBEA, UA under certain circumstances may have to report the gift value to the IRS as employee income.  This applies to any cash or cash equivalent gift regardless of amount, and to non-cash gifts that exceed a de minimis value.

Scenario three (02:30)

A vendor sent me a tower of holiday treats with meats and cheeses - a $250 value. Can I keep this gift? Do I need to do any reporting on it?

You will need to report it. Take the perishables and try to give them to the food bank, or the soup kitchen: someplace that will be able to take advantage of them, because you cannot keep it for yourself. Next best would be to treat it as a gift to the entire èƵ, and distribute those as widely as possible among your department, or your unit, or your èƵ. Send a polite thank you note saying that you will not be able to accept gifts like that in the future.

(03:52) I see less expensive gifts over the holidays like a tin of popcorn, or a box of cookies, or things like that. Do those have the same rules?

State law says that a gift of under $150 does not need to be reported; and an occasional gift of fifty dollars or less is not presumed to be designed to influence our official actions or judgment. 

The èƵ has a stricter standard. We're not supposed to accept any gifts from any entity that go above the level of something like a coffee cup or a pen or a calendar.

Scenario four (04:45)

I'm at a conference, and they do a drawing for next year's registration - thousand dollar value - and my name is drawn. How do I handle that in regards to compliance?

As long as that registration discount is available to the èƵ rather than to you personally, then you can accept that, and whoever the èƵ may decide to send the next year can take advantage of that discount. It's not benefiting your own personal or financial interest, that's benefiting the èƵ.

Where do people go for more information? (06:12)

The General Counsel's office has a website specific to the Executive Branch Ethics Act and associated èƵ policies. /counsel/ethics-information/

The state of èƵ has its own website specializing in the Executive Branch Ethics Act.

For each one of the universities the HR senior business partner serves as the ethics designee. Or you can contact the General Counsel office. such as the Executive Branch Ethics Act (EBEA). Acceptance of gifts is covered in the EBEA, which serves at UA’s Standards of Ethical Conduct.  



NOTE:  While gifts from UA to its employees need not be reported under the EBEA, UA under certain circumstances may have to report the gift value to the IRS as employee income. This applies to any cash or cash equivalent gift regardless of amount, and to non-cash gifts that exceed a de minimis value.